OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
    0%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by william wortel - 24.11.2021

FS#4154 - procd-ujail: makes dnsmasq refuse to answer dns queries

22/11/2021 compile for ramips device Ubiquiti EdgeRouter X sfp ; snapshot: r18166-e2c4998f6d
Choosing TARGET_ramips_mt7621_DEVICE_ubnt_edgerouter-x-sfp selects by default the inclusion of procd-ujail.
This has the effect of dnsmasq being put in a jail.
The device can still make dns queries to upstream. But, despite dnsmasq listening on all interfaces, any incoming queries get the reply ‘REFUSED’. Easily tested on the device itself e.g. with the command ‘nslookup <some fqdn> localhost’. This leaves any devices downstream in the dark that via dhcp got the news to fetch their dns information from this jailed dnsmasq.
Exactly the same configuration compiled, but with procd-ujail manually removed, restores complete functionality of dnsmasq.


william wortel commented on 24.11.2021 09:41

additional info:
comparing in logread what is shown upon start of dnsmasq there is the difference:
with procd-ujail:
dnsmasq[10121]: UBus support enabled: connected to system bus
dnsmasq[10121]: using only locally-known addresses for test
dnsmasq[10121]: using only locally-known addresses for onion
dnsmasq[10121]: using only locally-known addresses for localhost
dnsmasq[10121]: using only locally-known addresses for local
dnsmasq[10121]: using only locally-known addresses for invalid
dnsmasq[10121]: using only locally-known addresses for bind
dnsmasq[10121]: using only locally-known addresses for lan
dnsmasq[10121]: read /etc/hosts - 4 addresses
dnsmasq[10121]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses

without procd-ujail:
dnsmasq[10121]: UBus support enabled: connected to system bus
dnsmasq[10121]: using only locally-known addresses for test
dnsmasq[10121]: using only locally-known addresses for onion
dnsmasq[10121]: using only locally-known addresses for localhost
dnsmasq[10121]: using only locally-known addresses for local
dnsmasq[10121]: using only locally-known addresses for invalid
dnsmasq[10121]: using only locally-known addresses for bind
dnsmasq[10121]: using only locally-known addresses for lan
dnsmasq[10121]: reading /tmp/resolv.conf.d/resolv.conf.auto
dnsmasq[10121]: using nameserver 192.168.1.1#53
dnsmasq[10121]: using only locally-known addresses for test
dnsmasq[10121]: using only locally-known addresses for onion
dnsmasq[10121]: using only locally-known addresses for localhost
dnsmasq[10121]: using only locally-known addresses for local
dnsmasq[10121]: using only locally-known addresses for invalid
dnsmasq[10121]: using only locally-known addresses for bind
dnsmasq[10121]: using only locally-known addresses for lan
dnsmasq[10121]: read /etc/hosts - 4 addresses
dnsmasq[10121]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses

In both cases the unit itself does reach fqdn addresses on the internet.
The jailed version however serves requests it receives with 'REFUSED'.
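The two startup excerpts above differ by exactly two lines: the unjailed dnsmasq reports reading /tmp/resolv.conf.d/resolv.conf.auto and announces an upstream nameserver, while the jailed one does neither. The script below is an added example, not part of the report or of OpenWrt; it feeds both excerpts (copied verbatim from the comment above and embedded as constructed input) through a small parser, diffs the message sequences, and flags a dnsmasq startup that has read no resolv file and learnt no upstream server, which is the state a practitioner would want to confirm before suspecting the jail's filesystem view. The helper names and the returned dictionary layout are this example's own choices.

```python
import re

# Constructed input: the two logread excerpts quoted in the comment above,
# first the startup of the jailed dnsmasq, then of the unjailed one.
JAILED_STARTUP = """\
dnsmasq[10121]: UBus support enabled: connected to system bus
dnsmasq[10121]: using only locally-known addresses for test
dnsmasq[10121]: using only locally-known addresses for onion
dnsmasq[10121]: using only locally-known addresses for localhost
dnsmasq[10121]: using only locally-known addresses for local
dnsmasq[10121]: using only locally-known addresses for invalid
dnsmasq[10121]: using only locally-known addresses for bind
dnsmasq[10121]: using only locally-known addresses for lan
dnsmasq[10121]: read /etc/hosts - 4 addresses
dnsmasq[10121]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses
"""

UNJAILED_STARTUP = """\
dnsmasq[10121]: UBus support enabled: connected to system bus
dnsmasq[10121]: using only locally-known addresses for test
dnsmasq[10121]: using only locally-known addresses for onion
dnsmasq[10121]: using only locally-known addresses for localhost
dnsmasq[10121]: using only locally-known addresses for local
dnsmasq[10121]: using only locally-known addresses for invalid
dnsmasq[10121]: using only locally-known addresses for bind
dnsmasq[10121]: using only locally-known addresses for lan
dnsmasq[10121]: reading /tmp/resolv.conf.d/resolv.conf.auto
dnsmasq[10121]: using nameserver 192.168.1.1#53
dnsmasq[10121]: using only locally-known addresses for test
dnsmasq[10121]: using only locally-known addresses for onion
dnsmasq[10121]: using only locally-known addresses for localhost
dnsmasq[10121]: using only locally-known addresses for local
dnsmasq[10121]: using only locally-known addresses for invalid
dnsmasq[10121]: using only locally-known addresses for bind
dnsmasq[10121]: using only locally-known addresses for lan
dnsmasq[10121]: read /etc/hosts - 4 addresses
dnsmasq[10121]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses
"""

# One logread line: the dnsmasq tag with its pid, then the message body.
LINE_RE = re.compile(r"^dnsmasq\[(\d+)\]: (.*)$")
NAMESERVER_RE = re.compile(r"^using nameserver (\S+)$")
READING_RE = re.compile(r"^reading (\S+)$")


def parse_dnsmasq_messages(log_text):
    """Extract the message part of every dnsmasq line, in log order."""
    messages = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            messages.append(match.group(2))
    return messages


def upstream_nameservers(messages):
    """Upstream resolvers dnsmasq announced it will forward to."""
    return [m.group(1) for m in map(NAMESERVER_RE.match, messages) if m]


def resolv_files_read(messages):
    """resolv.conf-style files dnsmasq reported reading at startup."""
    return [m.group(1) for m in map(READING_RE.match, messages) if m]


def messages_missing_from(reference, candidate):
    """Messages (deduplicated, reference order) present in the reference
    startup but absent from the candidate startup."""
    seen = set(candidate)
    return [msg for msg in dict.fromkeys(reference) if msg not in seen]


def diagnose(log_text):
    """Summarise whether a dnsmasq startup has any upstream to forward to."""
    messages = parse_dnsmasq_messages(log_text)
    servers = upstream_nameservers(messages)
    return {
        "lines": len(messages),
        "resolv_files": resolv_files_read(messages),
        "upstream": servers,
        # With no upstream server, non-local names cannot be forwarded.
        "can_forward": bool(servers),
    }


if __name__ == "__main__":
    for name, log in (("jailed", JAILED_STARTUP), ("unjailed", UNJAILED_STARTUP)):
        print(name, diagnose(log))
    print("missing from jailed startup:",
          messages_missing_from(parse_dnsmasq_messages(UNJAILED_STARTUP),
                                parse_dnsmasq_messages(JAILED_STARTUP)))
```

Run against a live device by piping `logread | grep dnsmasq` into the same functions; a startup whose diagnosis shows an empty resolv_files list and can_forward False matches the jailed case in this report.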
